3.4.1 Configuring Service-level Security Settings
Instance administrators can configure service-level security in Manage Instance, Security, Security Settings, Security.
Note:
To ensure the security and performance of your development environment, some administration functionality is not available in Oracle APEX instances running in Oracle Cloud.- Controlling Workspace Cookies
Determine if Application Express saves persistent cookies in the browser - Disabling Access to Administration Services
Prevent a user from logging in to Oracle APEX Administration Services. - Enabling Access to Administration Services
If access to Administration Services has been disabled, an Instance administrator can re-enable again by running the following SQL statements. - Disabling Workspace Login Access
Restrict user access to Application Express by disabling workspace login. Disabling workspace login in production environments prevents users from running Application Express applications such as App Builder. - Controlling Public File Upload
Use the Allow Public File Upload attribute to control whether unauthenticated users can upload files in applications that provide file upload controls. - Restricting User Access by IP Address
Restrict user access to the Oracle Application Express development environment and Administration Services by specifying a comma-delimited list of allowable IP addresses. - Configuring a Proxy Server for an Instance
Configure an entire Oracle APEX instance to use a proxy for all outbound HTTP traffic. - Selecting a Checksum Hash Function
Select a hash function that Application Express uses to generate one way hash strings for checksums. - Configuring Rejoin Sessions for an Instance
Controls at the application-level if whether URLs in this application contain session IDs. - Configuring Unhandled Errors
Control how Oracle APEX displays the results of unhandled errors
Parent topic: Configuring Security
3.4.1.1 Controlling Workspace Cookies
Determine if Application Express saves persistent cookies in the browser
Application Express uses the following persistent cookies:
-
ORA_WWV_REMEMBER_UN
- The development environment login page stores the Workspace and Username data in this cookie. It is used to populate these attributes with default values, when you log in again. -
LOGIN_USERNAME_COOKIE
- Customer application login pages use this cookie to store the Username. It is used to populate the attribute with a default value, when customers log in again. -
ORA_WWV_REMEMBER_LANG
- When using language selection in the development environment, Application Express stores the language and territory in this cookie. It is used to automatically show the application in the selected language when the application is used next time.
If your system has received cookies, you can physically remove it from its persistent location on disk using browser tools or system utilities.
To configure if Application Express to saves persistent cookies:
- Sign in to Oracle Application Express Administration Services.
- Click Manage Instance.
- Under Instance Settings, click Security.
- Locate the Security section.
- For Set Workspace Cookie, select one of the following:
-
Yes - Enables Application Express to save persistent cookies in the browser.
- No - Prevents persistent cookies from being sent.
-
- Click Apply Changes.
Parent topic: Configuring Service-level Security Settings
3.4.1.2 Disabling Access to Administration Services
Prevent a user from logging in to Oracle APEX Administration Services.
Instance administrators can prevent a user from logging in to Administration Services. Disabling administrator login in production environments prevents unauthorized users from accessing Administration Services and possibly compromising other user login credentials.
To disable user access to Administration Services:
Parent topic: Configuring Service-level Security Settings
3.4.1.3 Enabling Access to Administration Services
If access to Administration Services has been disabled, an Instance administrator can re-enable again by running the following SQL statements.
To enable user access to Administration Services if it has been disabled:
Parent topic: Configuring Service-level Security Settings
3.4.1.4 Disabling Workspace Login Access
Restrict user access to Application Express by disabling workspace login. Disabling workspace login in production environments prevents users from running Application Express applications such as App Builder.
To disable user access to the Internal workspace:
Parent topic: Configuring Service-level Security Settings
3.4.1.5 Controlling Public File Upload
Use the Allow Public File Upload attribute to control whether unauthenticated users can upload files in applications that provide file upload controls.
To control file upload:
Parent topic: Configuring Service-level Security Settings
3.4.1.6 Restricting User Access by IP Address
Restrict user access to the Oracle Application Express development environment and Administration Services by specifying a comma-delimited list of allowable IP addresses.
To restrict user access by IP address:
Parent topic: Configuring Service-level Security Settings
3.4.1.7 Configuring a Proxy Server for an Instance
Configure an entire Oracle APEX instance to use a proxy for all outbound HTTP traffic.
Note:
To ensure the security and performance of your development environment, this functionality is not available in Oracle APEX instances running in Oracle Cloud.Setting a proxy at the instance-level supersedes any proxies defined at the application-level or in web service references. If a proxy is specified, regions of type URL, Web services, and report printing will use the proxy.
To configure a proxy for an Oracle APEX instance:
- Sign in to Administration Services.
- Click Manage Instance.
- Under Instance Settings, click Security.
- Locate the Security section.
- In Instance Proxy, enter the address and port of the proxy to be used for the entire instance. In No Proxy Domains, enter a list of domains, for which the proxy server should not be used.
- Click Apply Changes.
Parent topic: Configuring Service-level Security Settings
3.4.1.8 Selecting a Checksum Hash Function
Select a hash function that Application Express uses to generate one way hash strings for checksums.
The Checksum Hash Function attribute enables you to react to recent developments and switch between algorithms based on new research. Use the Checksum Hash Function attribute to select a hash function that Oracle Application Express uses to generate one way hash strings for checksums. This attribute is also the default value for the Security Bookmark Hash Function attribute in new applications. Applications use the Bookmark Hash Function when defining bookmark URLs.
Tip:
Changing the Checksum Hash Function does not change the Bookmark Hash Function currently defined for existing applications because this would invalidate all existing bookmarks saved by end users. Oracle strongly recommends going into existing applications, expiring existing bookmarks, and then updating the Bookmark Hash Function to the same value defined for Checksum Hash Function.
To select a checksum hash function:
Parent topic: Configuring Service-level Security Settings
3.4.1.9 Configuring Rejoin Sessions for an Instance
Controls at the application-level if whether URLs in this application contain session IDs.
By configuring the Rejoin Sessions attribute, Instance administrators can control if Oracle Application Express supports URLs that contain session IDs. When Rejoin Sessions is enabled, Oracle Application Express attempts to use the session cookie to join an existing session, when a URL does not contain a session ID.
To use Rejoin Sessions at the applicaion or page-level, an administrator must enable Rejoin Sessions at the instance-level. A more restrictive instance-level setting overrides application and page settings.
Warning:
For security reasons, Oracles recommends that administrators disable support for session joining unless they implement workspace isolation by configuring the Allow Hostname attributes. See "Isolating a Workspace to Prevent Browser Attacks" and "Isolating All Workspaces in an Instance."
Note:
Enabling rejoin sessions may expose your application to possible security breaches by enabling attackers to take over existing end user sessions. To learn more, see "About Rejoin Sessions" in Oracle APEX App Builder User’s Guide.
To configure Rejoin Sessions:
- Sign in to Oracle Application Express Administration Services.
- Click Manage Instance.
- Under Instance Settings, click Security.
- Locate the Security section.
- From Rejoin Sessions, select an option:
- Disabled - If the URL does not contain a session ID, Oracle Application Express creates a new session.
- Enabled for Public Sessions - If the URL goes to a public page and does not contain a session ID Application Express attempts to utilize the existing session cookie established for that application. For applications with both public and authenticated pages, a session ID is defined after the end user authenticates. Application Express only joins via the cookie when the session is not yet authenticated.
- Enabled for All Sessions - If the URL does not contain a session ID, Oracle Application Express attempts to use the existing session cookie established for that application, providing one of the following conditions are met:
-
Session State Protection is enabled for the application and the URL includes a valid checksum. For public bookmarks, the most restrictive item level protection must be either Unrestricted or Checksum Required - Application Level.
-
The URL does not contain payload (a request parameter, clear cache or data value pairs). This setting requires that Embed In Frames is set to Allow from same origin or to Deny for the application.
Enabled for All Sessions requires that Embed in Frames is set to Allow from same origin or Deny. This is not tied to a condition about the URL payload, but also applies to session state protected URLs.
-
- Click Apply Changes.
See Also:
-
"Configuring Rejoin Sessions for a Page" in Oracle APEX App Builder User’s Guide
-
"Session Management" in Oracle APEX App Builder User’s Guide to learn how to configure Rejoin Sessions at the application-level
Parent topic: Configuring Service-level Security Settings
3.4.1.10 Configuring Unhandled Errors
Control how Oracle APEX displays the results of unhandled errors
Note:
To ensure the security and performance of your development environment, this functionality is not available in Oracle APEX instances running in Oracle Cloud.When Oracle APEX encounters an unhandled error during processing, an error page displays to the end user of the application. From a security standpoint, it is often better to not display these messages and error codes to the end user and simply return a HTTP 400 (Bad Request) error code to the client browser.
To configure Unhandled Errors:
Parent topic: Configuring Service-level Security Settings